Slashdot Mirror


Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

2 of 43 comments

  1. Hard to argue it's much of a disincentive by SuperKendall · Score: 4, Interesting

    iOS 12, despite being less than a month old, is on something like 50% of active devices now - who else achieves that kind of patch rate?

    Most users will never even look at basic patch notes, much less security info. The people it might disincentivize are maybe 0.00000000000000000000000000000000000001% of the user base.

    Maybe.

    That said I totally agree they SHOULD say when a security bug is fixed so at least everyone has a better idea of what has improved without testing.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  2. Users should be in the habit of upgrading by Arkham · Score: 3, Interesting

    The reason that iOS has an upgrade rate that's 10x that of Android is because Apple has conditioned its users to constantly upgrade their OS. My wife upgrades her iPhone without knowing or caring what's in the update. It's always something that makes her phone better in her mind. The only people who care about CVEs are security researchers and extreme geeks like me.

    If you say "iOS 11.4.1 fixed CVE-2018-4293 which allowed cookies to persist unexpectedly in CFNetwork calls" to 99.99% of Apple's customers, the only word in that sentence that they might understand is cookies, and their take is "cookies are bad". Putting this in the patch notes doesn't mean anything to regular humans, and it shouldn't.

    People should be able to trust that their device manufacturer will keep their phone safe. Apple is the only phone manufacturer (except maybe Google) that does this, and they're the only one people trust to do so.

    --
    - Vincit qui patitur.